Malware created for Christmas is currently spreading all over the world. The executable mines the cryptocurrency Monero on the target computers and tries to send the credit to Kim Il-sung University in Pyongyang. However, as the security researchers at AlienVault report, this fails in most cases.
So far it is unclear whether they are actually North Korean hackers or whether someone is just trying to make it look that way. As AlienVault reports, the transfer of the mined Monero credit failed because the host registered in the source code is unknown. The installer may initially run exclusively on a locked network, the address of the target computer may no longer exist, or, most likely, someone is trying to deceive the security researchers and make it look as if North Korea is behind the new malware attack.
It could also be that it is an early beta version of the program that was unintentionally distributed. It happened with the permission of the computers' owners. All this would at least explain why the mined credit cannot be successfully sent to the North Korean Kim Il-sung University in Pyongyang. Even the password used by the hackers, "KJU", is clearly aimed at North Korea, because these are the initials of the ruler Kim Jong-un. However, it is questionable why the hint should be placed so clearly.
In view of the economic sanctions, the use of cryptocurrencies is of great interest to North Korea. With Monero in particular, nobody can follow the money trail. According to media reports, North Korea is currently focusing on hacking wallets to gain assets. The South Korean secret service has repeatedly stated that North Korea is involved in cyber attacks on South Korean online trading venues. The most recent victims are the trading venues YouBit and Bithumb, to name just two examples. Also suspected are the North Korean hacker groups Bluenoroff and Andariel, which first installed malicious software for mining Monero after successfully taking over several company servers. These attacks currently have nothing to do with malware! According to AlienVault, the currently widespread installer was programmed quite amateurishly in Visual Basic. According to the security researchers, this approach does not resemble that of any of the aforementioned hacker groups.